[apparmor] dynamic profiles

Steve Beattie steve at nxnw.org
Thu Aug 5 19:03:30 BST 2010


On Thu, Aug 05, 2010 at 01:31:30AM -0700, John Johansen wrote:
> but not having a leading '/' does not mean it's dynamic.  It is merely
> a profile that doesn't automatically attach to an unconfined task.
> This means that it is only available through change_profile, named
> transitions or inheritance.
> 
> I will give you that currently libvirt is the only user of the feature,
> in the reference profile set, but I have created and seen profiles
> that don't.

Right, I think there's an expectation that the rewritten pam_apparmor
that makes use of change_profile will probably have profiles that aren't
correlated with the filesystem namespace (i.e. don't begin with '/').
These profiles will not be dynamic.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/